Risk management, strategy and analysis from Deloitte

CONTENT FROM OUR SPONSOR

Please note: The Wall Street Journal News Department was not involved in the creation of the content below.

Five Questions About Books and Records Compliance

Bart Siegel

Organizations are starting to see increased interest and scrutiny by regulators, including the Financial Industry Regulatory Authority (FINRA), in electronic recordkeeping requirements beyond email.

FINRA enforcement actions related to electronic communications, including email, instant messaging, texts and social media posts, surged in 2013 to 66 cases and $15.1 million in fines* and have remained robust in subsequent years.

At the same time, regulators have largely not focused on other records, such as trade blotters, transaction logs and client on-boarding communications. Many of the enforcement actions to date that reference recordkeeping requirements are secondary to other rule violations, including the inability to produce records or inaccurate records being produced.

Starting in early 2016, FINRA signaled increased interest in institutions’ other books and records, including documents and database records, as indicated in its enforcement priorities.

Broker-dealers can benefit from recognizing this increased focus and taking steps to review and, as necessary, shore up their recordkeeping technology implementations and governance. Following are key questions organizations may want to consider regarding books and records compliance.

Paul Yackinous

What are the regulatory requirements pertaining to the electronic storage of Securities and Exchange Commission (SEC) required books and records?

SEC Rule 17a-3 and related regulations catalogue the broad range of record types that FINRA members, brokers and dealers are required to preserve. The conditions under which these records must be kept are documented in SEC Rule 17a-4(f).

A large broker-dealer may be required to produce and properly store several hundred different types of records, largely based on the types of products it sells, markets or services. In addition to the sheer number of record types, many of the records are assembled from data stored in multiple information systems, external sources and markets.

What factors are driving the increased emphasis on books and records?

FINRA has signaled a growing focus on records. FINRA-ordered restitution payments to investors tripled from 2014 to 2015. Among FINRA’s 2016 enforcement priorities is the review of firms’ ability to protect customer information in accordance with SEC Rule 17a-4(f). Such protection includes the preservation of electronically stored records in a non-rewriteable, non-erasable format. Also, the FINRA Series 27—Financial and Operations Principal Exam now includes questions regarding how firms maintain required books and records beyond those pertaining to electronic communications.

As an aside, Deloitte is seeing a significant uptick in inquiries about books and records from clients who are broker-dealers and service providers, both proactively and as a result of regulatory action.

What are some of the potential risks associated with increasing FINRA enforcement?

Many large firms have faced enforcement actions regarding the electronic communications aspects of Rule 17a-4(f) in past years. In such cases, the SEC typically issues a fine and, importantly, enjoins the firm against violating that rule again. Firms that have already seen enforcement actions related to electronic communications face increased scrutiny and regulatory action if they are found to be violating SEC Rule 17a-4 with respect to other books and records.

In addition, many firms have not fully documented the inventory of records that regulation requires them to keep. Since these records go far beyond electronic communications, it may be difficult for firms to understand their regulatory exposure.

What are some challenges that firms face in addressing the expanding FINRA scrutiny?

Often, the first challenge for firms is to identify which records they need to produce and retain. Building an inventory starts with understanding the products around which the firm conducts business, which rules apply to those products and what records the rules require be created. In completing these inventory exercises, some firms have found that they are either not storing required records appropriately, or are not creating the records in the first place. Both types of shortcomings must be addressed to remain compliant and avoid enforcement actions.

Another challenge is understanding and applying regulatory requirements written to address antiquated technologies—such as optical platters, microfiche and microfilm—to today’s complex world of integrated software and hardware archives. Understanding the nuances of the recordkeeping requirements likely will require involvement of technology professionals, compliance officers and legal departments as well as outside counsel.

What actions can firms take to address increasing books and records scrutiny and potential sanctions?

An important first step is to assemble a books and records task force or steering committee. This group, which can include such stakeholders as legal, compliance, risk, records management, IT and business operations, provides the structure for the records inventory and subsequent action. Next steps can include technology and business representatives working jointly to develop compliance requirements for Rule 17a-4(f) based on reasonable regulatory interpretation. Further, firms should evaluate their electronic recordkeeping systems for adherence to their recordkeeping requirements.

Also important is establishing governance, risk and control frameworks that foster compliance sustainability. Without ongoing management, compliance status can quickly deteriorate.

Takeaway

A firm that lacks a good understanding of its books and records status may end up having to address these issues under the pressures and tight timelines of a periodic financial operations examination. Alternatively, some other problems may arise that require interaction with regulators. Whatever the case, having a defensible program for evaluating and improving compliance can be a far better option than having to scramble reactively when the regulators are at the door.

—Produced by Bart Siegel, managing director, and Paul Yackinous, senior manager, both in the Deloitte Discovery practice of Deloitte Transactions and Business Analytics LLP
